Four Weeks On, Federal Domains Are Making Progress — But There’s Still a Long Way to Go

When the Department of Homeland Security directed all federal agencies to implement email authentication, it was clear that this would be a big challenge.

We found that only 18.5 percent of the 1,315 federal domains listed by the General Services Administration had deployed a DMARC record as of October 16, when the DHS directive (BOD 18-01) was first published. Even fewer, just 4 percent, were actually enforcing email authentication (with a DMARC record that was valid and set to a policy of quarantine or reject). Without enforcement, the remaining 96 percent of .gov domains remained vulnerable to email impersonation.

Four weeks later, the picture has improved, though it’s clear there is still a long way to go.

Today 366 domains (27.8 percent) have published DMARC records, and the proportion of those that are actually valid is going up. Also, 108 are at enforcement, bringing overall fraud protection among .gov domains to 8.2 percent.

The success rate at getting to fraud protection (with a valid DMARC record and a policy of enforcement) has risen from 21 percent of all .gov DMARC records to 30 percent. For context, this is on the high side: Most private sector companies have a success rate close to 20 or 25 percent.

These are encouraging signs. Just one month after the appearance of BOD 18-01, the number of federal domains utilizing DMARC has increased by 123, and the number of domains that are using valid DMARC records has doubled, while overall fraud protection has also doubled.

Our figures align with those of the Online Trust Alliance, which also found agencies are making big strides.

“We thoroughly applaud the virtual overnight improvement following DHS’ recent directive,” said Jeff Wilbur, director of the OTA Initiative at the Internet Society, in a recent OTA press release.

Still, it’s clear that the government has much ground to cover. 92 percent of federal domains are still open to impersonation via email messages that misuse their domains in From addresses. And too many of those domains that have attempted DMARC are not achieving enforcement, either failing to get valid DMARC records or leaving those records at a policy of “none,” which provides visibility, but no protection.
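To make the buckets used above concrete (no record, invalid record, a policy of "none" that only gives visibility, and enforcement at quarantine or reject), here is an added example that is not part of the original post: a small Python classifier that applies a simplified subset of the RFC 7489 syntax rules and computes the same two ratios the post reports (enforcement as a share of all domains, and as a share of domains that published a record). The records and domain names are constructed placeholders, not real federal domains.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag->value dict; return None if invalid.
    Simplified RFC 7489 check: 'v=DMARC1' must be the first tag and a 'p' tag
    with value none, quarantine or reject must be present."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def classify(record):
    """Bucket a domain: no_record, invalid, monitoring (p=none) or enforcement."""
    if record is None:
        return "no_record"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    return "monitoring" if tags["p"].lower() == "none" else "enforcement"

def summarize(domains):
    """Count buckets and compute the post's two ratios: enforcement as a share
    of all domains ('fraud protection') and as a share of domains with a record."""
    counts = {"no_record": 0, "invalid": 0, "monitoring": 0, "enforcement": 0}
    for record in domains.values():
        counts[classify(record)] += 1
    with_record = len(domains) - counts["no_record"]
    protected = counts["enforcement"]
    counts["protection_pct"] = round(100.0 * protected / len(domains), 1)
    counts["success_pct"] = round(100.0 * protected / with_record, 1) if with_record else 0.0
    return counts

# Constructed sample input: the TXT record found at _dmarc.<domain>, or None when
# no record is published. Domain names are placeholders, not real .gov domains.
SAMPLE = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "p=quarantine; v=DMARC1",  # tags out of order: invalid
    "agency-d.example": "v=DMARC1; p=quarantine; sp=none",
    "agency-e.example": None,
}
```

Running `summarize(SAMPLE)` gives two domains at enforcement, one monitoring, one invalid and one without a record, so 40.0 percent protection overall and a 50.0 percent success rate among domains that published anything.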

Some of these agencies might not be reaching enforcement because of the difficulty they (or their DMARC vendors) have run into identifying and authorizing all the services that need to be able to send email on the agencies’ behalf. Without that visibility — and the ability to automate the process of updating DMARC, SPF, and DKIM records to accommodate changing needs — enforcement remains an elusive goal.

The DHS directive does not require agencies to set a policy of enforcement until late 2018. As we get closer to that deadline, no doubt we will see many more agency domains deploy DMARC. Whether they find it easy to achieve enforcement or not is another question.

With 61 days to go until agencies need to have at least a minimal DMARC record published, the race is on.